1. (Currently Amended) A method for managing security information comprising the steps of:

receiving raw computer events with a fusion engine from one or more data sources, each data source comprising an intrusion detector that assigns a priority status to each raw computer event, each raw computer event comprising one of suspicious computer activity and a computer attack;

classifying the raw computer events with the fusion engine by assigning each raw computer event an event type parameter;

storing the raw computer events;

comparing each raw computer event and its type with computer environment information stored in a knowledge-based database;

assigning context parameters to each raw computer event based on the comparison of the raw computer event with the computer environment information;

determining if the priority status of each raw computer event should be adjusted based on its context parameters;

adjusting the priority status or leaving the priority status intact based on the determination step;

identifying one or more relationships between two or more raw computer events by applying rules associated with the event type parameters that are executed with the fusion engine to determine if the two or more raw computer events are part of a larger computer attack;

in response to identifying one or more relationships between two or more raw computer events, generating a mature correlation event message; and

displaying one or more mature correlation event messages on one or more consoles that describe relationships between raw computer events.



2. (Cancelled). 
3. (Previously Presented) The method of Claim 1, wherein the step of receiving raw computer events from one or more data sources further comprises the step of receiving real-time raw computer events from one of an intrusion detection system, a detector within an intrusion detection system, and a firewall.

4. (Previously Presented) The method of Claim 1, wherein the step of receiving raw computer events from one or more data sources further comprises the step of receiving raw computer events from one of a file and a database.

5. (Currently Amended) The method of Claim 1, wherein the step of classifying the raw computer events further comprises the steps of:

comparing the event type parameter with an event type category of a list; and

assigning each raw computer event to a corresponding event type category in the list.

6. (Currently Amended) The method of Claim 1, wherein the step of assigning context parameters to each raw computer event further comprises the steps of:

comparing parameters of each raw computer event with information in a database; and

assigning additional parameters to each raw computer event relating to the environment of the raw computer event.

7. (Original) The method of Claim 6, wherein the additional parameters comprise one of
a priority status, a vulnerability status, a historical frequency value, a source zone value, a 
destination zone value, a detector zone value, and a text string. 
8. (Currently Amended) The method of Claim 1, wherein the step of adjusting the priority status or leaving the priority status intact based on the determination step further comprises the steps of:

identifying a priority status parameter of a raw computer event;

comparing each raw computer event to information contained in the knowledge-based database;

changing the priority status parameter of a respective raw computer event if a match occurs in response to the comparison step; and

leaving the priority status intact if a match does not occur in response to the comparison step.

9. (Previously Presented) The method of Claim 1, wherein the step of identifying relationships between two or more raw computer events further comprises the steps of:

associating each raw computer event with one or more rules that correspond with a type parameter of the raw computer event;

applying each rule to its associated group of raw computer events; and

determining if a computer attack or security breach has occurred based upon successful application of a rule.
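The pipeline recited in Claims 1 and 5 through 9 (classify by event type, compare against environment information, adjust or keep the detector's priority, then apply event-type-keyed rules and emit a mature correlation event message) is easier to follow as running code. The block below is an added example written for this page; it is not code from the patent or from any product it describes. The event layout, the signature names, the two host entries in the context database, the two correlation rules, the time windows and the sample event feed are all constructed assumptions, and the time-based retention in the engine is one way to realise the memory management list of Claim 12.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class RawEvent:
    """A raw computer event as emitted by an intrusion detector (hypothetical layout)."""
    event_id: int
    detector: str
    signature: str
    src: str
    dst: str
    ts: float                        # time stamp, seconds
    priority: int                    # first ranking, assigned by the detector
    event_type: str = "unknown"      # event type parameter, set by classify()
    context: dict = field(default_factory=dict)  # context parameters, set by assign_context()


# Event type list (Claim 5): detector signature -> event type category. Constructed sample.
EVENT_TYPE_LIST = {"PORTSCAN": "recon", "WEB_CGI_EXPLOIT": "exploit", "SHELL_OUTBOUND": "compromise"}

# Knowledge-based / context database (Claims 6 to 8): per-host environment information. Constructed.
CONTEXT_DB = {
    "10.0.1.5": {"vulnerable_to": {"WEB_CGI_EXPLOIT"}, "zone": "dmz"},
    "10.0.2.7": {"vulnerable_to": set(), "zone": "internal"},
}


def classify(ev):
    """Assign the event type parameter by looking the signature up in the list."""
    ev.event_type = EVENT_TYPE_LIST.get(ev.signature, "unknown")
    return ev


def assign_context(ev):
    """Compare the event with environment information and attach context parameters."""
    host = CONTEXT_DB.get(ev.dst, {})
    ev.context = {
        "vulnerability_status": ev.signature in host.get("vulnerable_to", set()),
        "destination_zone": host.get("zone", "unknown"),
    }
    return ev


def adjust_priority(ev):
    """Raise the detector's priority when the target is vulnerable; otherwise leave it intact."""
    if ev.context.get("vulnerability_status"):
        ev.priority = min(10, ev.priority + 3)
    return ev


def rule_recon_then_exploit(ev, store, window=600):
    """Mature event: an exploit follows a scan from the same source against the same target."""
    for prior in store["recon"]:
        if prior.src == ev.src and prior.dst == ev.dst and 0 <= ev.ts - prior.ts <= window:
            return {"message": "scan followed by exploit",
                    "events": [prior.event_id, ev.event_id], "priority": ev.priority}
    return None


def rule_exploit_then_shell(ev, store, window=600):
    """Mature event: the target of an exploit against a vulnerable host opens an outbound shell."""
    for prior in store["exploit"]:
        if (prior.dst == ev.src and prior.context.get("vulnerability_status")
                and 0 <= ev.ts - prior.ts <= window):
            return {"message": "exploit followed by outbound shell from target",
                    "events": [prior.event_id, ev.event_id],
                    "priority": max(prior.priority, ev.priority)}
    return None


# Rule database (Claim 9): rules keyed by the event type that triggers them.
RULES = {"exploit": [rule_recon_then_exploit], "compromise": [rule_exploit_then_shell]}


class FusionEngine:
    def __init__(self, retention=3600):
        self.store = defaultdict(list)   # one storage area per event type
        self.mature = []                 # mature correlation event messages
        self.retention = retention       # memory management: drop events older than this

    def receive(self, ev):
        adjust_priority(assign_context(classify(ev)))
        self._expire(ev.ts)
        self.store[ev.event_type].append(ev)
        for rule in RULES.get(ev.event_type, []):
            msg = rule(ev, self.store)
            if msg is not None:
                self.mature.append(msg)
        return ev

    def _expire(self, now):
        for etype, events in self.store.items():
            self.store[etype] = [e for e in events if now - e.ts <= self.retention]


def make_sample_events():
    """Constructed feed: scan, exploit of a vulnerable DMZ host, same exploit against a
    patched host, then an outbound shell from the DMZ host."""
    return [
        RawEvent(1, "nids-dmz", "PORTSCAN", "192.0.2.10", "10.0.1.5", 100.0, 2),
        RawEvent(2, "nids-dmz", "WEB_CGI_EXPLOIT", "192.0.2.10", "10.0.1.5", 250.0, 5),
        RawEvent(3, "nids-core", "WEB_CGI_EXPLOIT", "192.0.2.10", "10.0.2.7", 260.0, 5),
        RawEvent(4, "fw-egress", "SHELL_OUTBOUND", "10.0.1.5", "198.51.100.4", 400.0, 4),
    ]


def run_sample():
    engine = FusionEngine()
    for ev in make_sample_events():
        engine.receive(ev)
    return engine


if __name__ == "__main__":
    for m in run_sample().mature:   # what the console would display
        print(m)
```

Running it produces two mature correlation event messages: the scan-then-exploit pair against the vulnerable DMZ host (whose priority is raised from 5 to 8 by the context step) and the exploit-then-shell pair. The identical exploit against the patched internal host keeps its detector priority of 5 and triggers no rule, which is the point of adjusting priority on environment context before correlation rather than on the signature alone.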

10 (Previously Presented) The method of Claim 1, wherein the step of storing raw 
computer events further comprises the step of storing each raw computer event in a high speed 
memory device comprising random access memory (RAM). 

11. (Previously Presented) The method of Claim 1, further comprising the step of
determining the intent of a computer attack based upon the type of mature correlation event 
generated. 
12. (Previously Presented) The method of Claim 1, further comprising the steps of:
creating a memory management list; 
identifying a time stamp for each raw computer event; and 
adding each raw computer event to the memory management list. 

13. (Previously Presented) The method of Claim 1, further comprising the step of creating a raw computer event tracking index that identifies one or more software components that are monitoring one or more raw computer events.

14. (Currently Amended) A method for determining relationships between two or more computer events, comprising the steps of:

receiving a plurality of raw computer events with a fusion engine from one or more intrusion detectors that assign a priority parameter to each raw computer event, each raw computer event having a first set of parameters and comprising one of suspicious computer activity and a computer attack;

creating raw computer event storage areas based upon information received from a raw computer event classification database;

storing each event in an event storage area based upon an event type parameter;

comparing each raw computer event to data contained in a context database with the fusion engine to determine if the two or more raw computer events are part of a larger computer attack;

adjusting a priority parameter or leaving the priority parameter intact for each raw computer event in response to the comparison to the context database;

associating each raw computer event with one or more correlation events;

applying one or more rules corresponding with the event type parameters to each raw computer event based upon the correlation event associations; and

generating a mature correlation event message in response to each successful application of a rule.

15. (Cancelled). 
16. (Original) The method of Claim 14, wherein the context database comprises any one of vulnerability values, computer event frequency values, source and destination zone values, and detector zone values.

17. (Original) The method of Claim 14, wherein the raw computer event classification database comprises tables that include information that categorizes raw computer events based on any one of the following: how an activity indicated by a raw computer event may impact one or more target computers, how many target computers may be affected by an activity indicated by a raw computer event, and how activities indicated by respective raw computer events gain access to one or more target computers.

18. (Currently Amended) A security management system comprising:

a plurality of data sources comprising intrusion detectors that assign a priority parameter to raw computer events;

an event collector linked to the plurality of data sources;

a fusion engine linked to the event collector, said fusion engine identifying relationships between two or more raw computer events generated by the data sources and adjusting priority parameters if one or more conditions are met, the fusion engine using rules associated with event type parameters assigned to each raw computer event to determine if the two or more raw computer events are part of a larger computer attack, each raw computer event comprising one of suspicious computer activity and a computer attack; and

a console linked to the event collector for displaying any output generated by the fusion engine.

19. (Previously Presented) The security management system of Claim 18, wherein each 
intrusion detector runs in a kernel mode of a computer and the fusion engine runs in a user mode 
of the computer. 
20. (Previously Presented) The security management system of Claim 18, wherein each intrusion detector comprises a chip, and the fusion engine comprises software running on a computer.

21. (Previously Presented) The security management system of Claim 18, wherein each intrusion detector comprises a board, and the fusion engine comprises software running on a computer.

22. (Currently Amended) A fusion engine comprising:

a controller;

an event reader for receiving raw computer events from intrusion detectors that assign a priority parameter to each raw computer event, each raw computer event comprising one of suspicious computer activity and a computer attack;

a classifier linked to the event reader for classifying the received raw computer events;

a raw computer event classification database linked to the classifier;

a context based risk-adjustment processor linked to the classifier, for adjusting priority parameters of raw computer events;

a context database linked to the context based risk-adjustment processor for storing context parameters that are assigned to raw computer events and that are used by the context based risk-adjustment processor; and

a rule database comprising rules for identifying if one or more relationships exist between two or more events by determining if the two or more raw computer events are part of a larger computer attack.

23. (Previously Presented) The fusion engine of Claim 22, further comprising an event reporter, a mature event list, a memory management list, and a raw computer event tracking index.
24. (Original) The fusion engine of Claim 22, wherein the context database comprises any one of vulnerability values, computer event frequency values, source and destination zone values, and detector zone values.

25. (Previously Presented) The fusion engine of Claim 22, wherein the raw computer event classification database comprises tables that include information that categorizes raw computer events based on any one of the following: how an activity indicated by a raw computer event may impact one or more target computers, how many target computers may be affected by an activity indicated by a raw computer event, and how activities indicated by respective raw computer events gain access to one or more target computers.

26. (Currently Amended) A method for managing security information comprising the steps of:

receiving with a fusion engine a raw computer event having a first ranking from one or more data sources comprising intrusion detectors, each raw computer event comprising one of suspicious computer activity and a computer attack;

classifying the raw computer event with the fusion engine by assigning each raw computer event an event type parameter;

storing the raw computer event;

assigning a second ranking to the raw computer event with the fusion engine, wherein the second ranking assesses risks of the raw computer event based upon a context of the raw computer event;

determining if the first ranking of each raw computer event should be adjusted based on its second ranking; and

identifying one or more relationships between two or more raw computer events by applying rules associated with event type parameters to determine if the raw computer event is part of a larger computer attack.

27. (Previously Presented) The method of Claim 26, wherein the first ranking comprises 
one or more relative values measuring potential risk or damage that is associated with the raw 
computer event. 
28. (Previously Presented) The method of Claim 26, wherein the step of assigning a
second ranking to each raw computer event further comprises the steps of: 

comparing parameters of each raw computer event with information in a database; 

and 

assigning additional parameters to each raw computer event relating to the 
environment of the raw computer event. 

29. (Previously Presented) The method of Claim 28, wherein the additional parameters 
comprise at least one of a priority status, a vulnerability status, a historical frequency value, a 
source zone value, a destination zone value, a detector zone value, and a text string. 

30. (Currently Amended) The method of Claim 26, wherein the first ranking comprises a priority status parameter and the step of determining if the first ranking of each raw computer event should be adjusted based on its second ranking further comprises the steps of:

comparing the second ranking of each raw computer event to information contained in a context database;

changing the priority status parameter of a respective raw computer event if a match occurs in response to the comparison step; and

leaving the priority status intact if a match does not occur in response to the comparison step.



[The remainder of this page has been intentionally left blank.] 
31. (Currently Amended) A method for managing security information comprising the steps of:

receiving raw computer events with a fusion engine from one or more data sources comprising intrusion detectors that assign a priority status to raw computer events, each raw computer event comprising one of suspicious computer activity and a computer attack;

classifying the raw computer events with the fusion engine by assigning each raw computer event an event type parameter;

assigning context parameters to each raw computer event based on a comparison of a respective event and its type parameter with computer environment information;

determining if a priority status of each raw computer event should be adjusted based on its context parameters;

grouping two or more raw computer events into a high level correlation event with the fusion engine if the two or more raw computer events are part of a larger computer attack;

in response to grouping the two or more raw computer events, applying one or more rules to the raw computer events;

generating a mature correlation event message if application of a rule is successful; and

displaying one or more mature correlation event messages on a console that describe relationships between raw computer events.

32. (Cancelled). 

33. (Previously Presented) The method of Claim 31, wherein the step of receiving raw
computer events from one or more data sources further comprises the step of receiving real-time 
raw computer events from one of intrusion detection system, a detector within an intrusion 
detection system, and a firewall. 
34. (Previously Presented) The method of Claim 31, wherein the step of receiving raw
computer events from one or more data sources further comprises the step of receiving raw 
computer events from one of a file and database. 

35. (Cancelled). 

36. (Previously Presented) The method of Claim 31, wherein the step of classifying 
comprises the step of categorizing a raw computer event based on any one of the following: how 
a raw computer event may impact one or more target computers, how many target computers that 
may be affected by a raw computer event, and how respective raw computer events gain access 
to one or more target computers. 

37. (Previously Presented) The method of Claim 31, wherein the step of grouping two or 
more raw computer events further comprises the step of determining a time at which a respective 
raw computer event occurred relative to another raw computer event. 

38. (Previously Presented) A computer readable medium having computer-executable 
instructions for performing the steps recited in Claim 1.

39. (Previously Presented) A computer readable medium having computer-executable 
instructions for performing the steps recited in Claim 14. 

40. (Previously Presented) A computer readable medium having computer-executable 
instructions for performing the steps recited in Claim 26. 

41. (Previously Presented) A computer readable medium having computer-executable 
instructions for performing the steps recited in Claim 31. 
